Clean Power Research Support Center logo

PowerClerk Support Center

Project Pages
Project Admin Page
Locating the Project Admin Page
How to Use the Project Admin page
Project View/Edit Page
Locating the Project View/Edit Page
How to use the Project View/Edit Page
Program Design Menu
Agent Studio
AI Features Overview
Locating Agent Studio
Getting Started
Preview Agents
Agent Drafts
Configure Attachments
Monitor Agent Performance
Bulk Evaluation
Automations
Questions to Ask
Locating the Automations feature
How to create an Automation
Automation Triggers
Automation Action Rules
Validation Rules
Scheduled Triggers
Troubleshooting Automations
FAQs
Channels
Questions to ask yourself
Locating the Channels feature
What are Channels?
Types of Channels
Channel Type: Mark as Child
Channel Type: Make Successor
Channel Type: Create Related Project
Channel Type: Submit Related Project
Channel Type: Project Lookup
How to create a Channel
Channel Signals and Automations
Updating Channel Configurations
Using Channels in Test Environments
FAQs
Communications
Questions to ask yourself
Locating the Communications feature
Creating Communication templates
Finding Data Tags
Images in Communications
Sending Mass Communications
Project Attachments and Content Library Items
Smart Templates
Upgrading to Smart Templates
Upgrading when a Test Environment Exists
Broken Template Tags
Examples of Broken Template Tags
PowerClerk Mass Communication Policy
FAQs
Connections
Questions to ask yourself
Locating the Connections feature
What are Connections
How to Create a Web Connector
Define the Web Connector
Connecting, Testing, and Enabling the Web Connector
Creating a Web Connector Configuration
Utilizing Connections on PowerClerk
Maintaining and Editing the Web Connector
Web Connector Payload Type Format
Retrieving Project Information via Built in Fields
Error Handling
Custom List Lookup
Create a Custom List Lookup
Utilizing Custom List Lookup
FAQs
Content Library
Questions to ask yourself
Locating the Content Library feature
Uploading content to the Content Library
Use with Communication Templates
Use for Front Page content
FAQs
Custom API IDs
Questions to Ask
Locating the Custom API IDs feature
How to edit a Custom API ID
FAQs
Data Fields
Questions to ask yourself
Locating the Data Fields feature
Viewing Available Data Fields
Managing Data Fields
Attachment Data Fields
Referencing Data Fields with Template Tags
Text Validation Rules
Custom Lists and Data Field Groups
Table form element
Enabling PV + Battery Element
FAQs
Deadlines
Questions to ask yourself
Locating the Deadlines feature
What are Deadlines
How to Create a Deadline
Deadline Automation Action Rules
Utilizing Project Admin Page for Deadlines
Communication Templates for Deadlines
Deadline Set/Satisfy Options
Program-Wide Deadline Actions
Reporting on Deadlines
Deadlines in Project List Columns
FAQs
Document Templates
Questions to ask yourself
Locating the Document Templates feature
How to define a new Template
Configuring Excel Files using PowerClerk Data Field Tags
How to define a new Merged Document
eSignatures
DocuSign template tags
Mapping eSignature tags
Smart Templates
FAQs
eSignature Envelopes
Questions to Ask
Locating the eSignature Feature
What are eSignature Envelopes?
eSignature Checklist: The Prerequisites to create a new Envelope
How to set up Advanced eSignature Envelopes Step-by-Step
How to add an eSignature Envelope to a form
eSignature Automation Trigger
Viewing Completed eSignature Envelopes
Resending eSignature Notifications
Canceling eSignatures
FAQs
Forms
Questions to ask yourself
Locating the Forms feature
How to create and edit Forms
Adding data fields
Field Properties
Form Versions and Draft Forms
Configuring Forms
Form Field Elements
Standard Type Form Field Elements
Contact Type Form Field Elements
Address Autocomplete
Document Type Form Field Elements
Layout Type Form Field Elements
Special Type Form Field Elements
Location Form Element
Distributed Energy Resource (DER) Form Elements
Built-in Elements
Available Data Fields
Data Sources
Inverter Filtering
Estimated Production Calculation
FAQs
Conditional Visibility
Sensitive Data Fields
Exporting a Form to Excel
VersaForms
FAQs
Formulas and Calculated Fields
Questions to ask yourself
Locating the Formulas feature
How to work with Formulas and Calculated Fields
Formula Data Dictionary
Dynamic Formula References
Rules of Formula References
Advanced Visibility Rules
Video Guides: Formulas
FAQs
Front Page
Questions to ask yourself
Locating the Front Page feature
How to edit the Front Page
FAQs
Incentive Design
Questions to ask yourself
Locating the Incentive Design feature
How to create and edit Incentive Designs
Incentive Options for One-Time Incentive Type
Incentive Design Options
FAQs
Milestones
Questions to ask yourself
Locating the Milestones feature
How to define a Milestone
FAQs
Project List Columns
Questions to ask yourself
Locating the Project List Columns feature
How to use Project List Columns
FAQs
Project Summary
Questions to ask yourself
Locating the Project Summary feature
How to edit the Project Summary
FAQs
Project Views
Questions to ask yourself
Locating the Project Views feature
How to edit Project Views
FAQs
Roles
Questions to ask yourself
Locating the Roles feature
How to create and edit a Role
Access Groups
Access Groups and Automations
Access Groups and Data Imports
Access Groups and Reports
FAQs
Themes
Overview
How Themes are Stored in PowerClerk
Creating a Theme
PowerClerk Theme Example
Workflow
Questions to ask yourself
Locating the Workflow feature
How to create and edit the Workflow
Transitions
Workflow Example Overview
FAQs
Admin Menu
Announcements
Locating the Announcements feature
Creating an Announcement
Triggering an Announcement
Managing Announcements Topic List
Managing Announcement Topic Enrollment Via User Account
Prerequisites for Using Announcements
Business Days
Questions to ask yourself
Locating the Business Days feature
Setting up Business Days
FAQs
Dashboards
Questions to ask yourself
Locating the Dashboards feature
How to create widgets in your Dashboard
Other Dashboard Actions
Data Import
Questions to ask yourself
Locating the Data Import feature
Steps to Complete a Data Import
Data Import Configurations
Creating Projects in Production
Column Header Types
Automatic Data Imports via SFTP
Revert Data Imports
FAQs
Duplicate Check
Questions to ask yourself
Locating the Duplicate Check feature
How to use Duplicate Checks
FAQs
ePayment History
Locating the ePayments History feature
Using ePayment History
ePayment Management
Locating the ePayments Management feature
What is ePayment Management
Set Up Stripe ePayments
Configuring Transaction Fees
Configuring Payment Methods Availability
Import Projects
Questions to ask yourself
Locating the Import Projects feature
How to Import Projects
Managing Data Field Mappings
Copying Projects
Creating Projects
FAQs
Operation Status
FAQs
Questions to ask yourself
How to use the Operation Status feature
Locating the Operation Status feature
Program Info
Project Inquiry
Locating the Project Inquiry feature
How to edit the Project Inquiry Settings
Automating Communications for Project Inquires
Inquiry Summary
Questions to ask yourself
Locating the Program Info feature
How to edit the Program Info menu
Notification Banners
Usage Info
FAQs
Program Statistics
Questions to ask yourself
Locating the Program Statistics feature
FAQs
How to use Program Statistics
Reports
Questions to ask yourself
Locating the Reports feature
How to setup Reports
Multi-instance reports
Sharing Reports
Integrate scheduled Reports
Cross-Program Reports
Handling Sensitive Data in Reports
Viewing Report Failures
Maximum Number of Columns Allowed in a Report
FAQs
User Administration
Questions to ask yourself
Locating the User Administration feature
How to work with User Administration
FAQs
Test Environment
What are Test Environments
Locating the Test Environment feature
How to Open a Test Environment
Questions to ask yourself
Test Environment Behavior
PowerClerk Sandbox Instance
FAQs
Tools Menu
My Account
Questions to Ask
Locating the My Account feature
How to use the My Account feature
Lockouts and Password Resets
Setting up Multi-Factor Authentication
Missing, lost, or stolen mobile devices: resetting Multi-Factor Authentication
Disabling Multi-Factor Authentication
Recovery Guidelines for MFA Administrators
FAQs
FormSense
Questions to Ask
Locating the FormSense feature
How to use the FormSense feature
FAQs
Grant Access
Project Grants vs Broad Grants (i.e. "Grant Access")
Questions to Ask
Locating the Project Grant feature
Locating the Grant Access feature
How to use the Grant Access feature
FAQs
Integration Guides & API
ePayments
Questions to ask yourself
How to Integrate with ePayment Provider
How to Set up ePayments on a Form
Managing ePayments
Reporting on ePayments
ePayments in Test Environments
How to add ePayments
FAQ
PowerClerk API
Integrating with the PowerClerk API
Questions to Ask
What is the PowerClerk API?
API Documentation for Developers
What can the PowerClerk API do?
Single Sign On (SSO)
Questions to Ask
PowerClerk SSO Configuration
SAML Config
OIDC Config
IDP Configuration Troubleshooting
FAQs
Integration Guide 001: How to configure an ArcGIS Connector – ArcGIS Implementation
Integration Guide 002: How to configure Electric Power Research Institute’s (EPRI) DRIVE Connect software with PowerClerk
PowerClerk Video Guides
Setting up Roll-up Reports
New User Video Guide
Configuring Forms
Roles and User Administration
Setting up Business Days
Formulas and Advanced Visibility Rules
Visualize Workflows
Dashboards
FormSense
Edit Forms - Tutorial #1
Milestones
ArcGIS
SFTP Automatic Data Import
Calculated Fields
Project Summary
Automation with Formulas in Action Rules
Web Connector Setup
Edit Forms - Tutorial #2
API
Build A Formula
Help Articles
How to Submit a Support Ticket
Understanding Your PowerClerk Program Design
Workflow
Forms
Automations
Communications
Data Fields
Deadlines
PowerClerk Program Launch
PowerClerk User Group Sessions (UGS)
Learning Management System (LMS)
Join us for Reflow!
NEW: PowerClerk Certifications

Single Sign On (SSO)

SSO provides added security and improves the login experience for utility program administrators. When admins are logged on to their internal networks, they can access PowerClerk without having to log in again.

SSO feature


Questions to ask yourself about SSO:

Why would I want to use SSO for my PowerClerk program?
Who in my agency’s IT department manages our Identity Provider?
How can I configure SSO for my program?




PowerClerk typically stores and manages credentials (email, password, and optional MFA) to enable users to log in and access programs. For additional security and easier user management, utilities may prefer to control PowerClerk access centrally through their own Identity Provider (IdP), which authenticates and authorizes users and can provide their role to PowerClerk.

  • SSO enables IT security teams at the utility to manage access for their employees in a single place for access to PowerClerk and other enterprise applications.
  • Users benefit from having the same credentials and authenticated session for all applications, meaning they do not need to sign in separately to each application.

Most SSO configurations are for utility program administrators. A supported but less common use case is to use SSO to manage access for approved trade partners or even customer applicants.
 

Front Page Link for SSO Login

Figure 1: Front Page Link for SSO Login

 

Supported Features
  • PowerClerk supports both of the industry standards for SSO: SAML 2.0, and OIDC (OpenID Connect).
  • PowerClerk has been integrated with many IdPs, including Microsoft Entra ID (Azure or on-prem AD), Okta, Auth0, and others.
  • Multiple SSO configurations can be supported for the same program to support different user domains.
  • PowerClerk supports SSO when switching between programs, with either a shared or separate configuration. With a valid authentication session, the user can switch programs without providing credentials again. Users might switch to programs that do not support SSO or for an IdP where they are not already logged in, in which case they will be prompted to sign in with those credentials.
  • PowerClerk can display a link on the sign-in page to start SSO (SP-initiated flow). PowerClerk can also support sign-in started from a utility portal (IdP-initiated flow).
  • User roles can be provided by the IdP (recommended), or a default role can be set at initial sign in then managed in PowerClerk.
  • PowerClerk uses the IdP only during sign in or switching programs. After that, there is no interaction between the PowerClerk and the IdP session.
General Configuration

We recommend testing SSO in a PCITrial sandbox. In production, SSO is an additional PowerClerk feature, not included with a standard license. Contact your CPR Account Executive to discuss adding a new IdP for SSO.
 
To initiate a request for SSO configuration, open a Support Ticket with the Customer Success team. You will need to decide each item on the checklist below to determine the user experience, then share the configuration details listed in either the SAML or OIDC sections for us to complete the setup.

      1. Which PowerClerk program(s) need SSO?

    • Provide the URL(s) of the program Home page in the ticket.
      2. Will sign in with PowerClerk credentials still be allowed?

    • Typically, yes. Applicants are usually not managed by the utility IdP and have their own PowerClerk login.
    • If no, should PowerClerk send all users to the same IdP, removing the project Front Page entirely.
      3. Should a “Sign in with” link appear on the PowerClerk sign-in page?

    • Usually, yes, but if SSO users are internal employees and they access PowerClerk via an application portal, the link may confuse applicants, so can be removed.
    • If available, the text of the sign in link can be customized. For example, from “Sign in with Entra”, using the IdP name, to “Utility employee sign in”.
      4. Should a default role be given to a user at the first sign in if one is not provided by the IdP, or should access be blocked?

    • Once SSO is active on your program, the Program Design Roles menu will have a new tab to configure Default Roles.
    Default Roles for SSO

    Figure 2: Default Roles for SSO
      5. Are users managed with SSO allowed to use the PowerClerk API?

    • If SSO users have an API Key, their client credentials authenticate directly with PowerClerk. Your security team may want to block this because API requests bypass the IdP.
      6. Should the SSO configuration be copied to PowerClerk Test Environments?

    • Usually, yes, for internal employee SSO.

      7. Will your IdP use SAML or OIDC?

    • SAML and OIDC each have their own configuration. Check the relevant section below for the requirements and configuration sharing.
SAML Configuration

The following details will be required by your IT team for your IdP configuration:
 

  1. The PowerClerk SP Entity Id. This can be a shared name for your PowerClerk programs, or unique for each program:

      Shared for all programs, less IdP configuration but harder to set up distinct users and roles:

    • Sandbox: https://cleanpowerdemo.com/PCITrial/
    • Production: https://powerclerk.com/
      Unique, recommended if programs have users with different roles per program. Use the hostname found in your program URL to replace the placeholder:

    • Sandbox: https://{hostname}.cleanpowerdemo.com/PCITrial/
    • Production: https://{hostname}.powerclerk.com/
  2. The ACS URL, the PowerClerk endpoint where the IdP posts the SAML response.

    • Sandbox: https://{hostname}.cleanpowerdemo.com/PCITrial/MvcAccount/Login/Acs
    • Production: https://{hostname}.powerclerk.com/MvcAccount/Login/Acs
  3. Assertion claims – SAML provides a token with user attributes. PowerClerk needs specific claims, except as indicated:

    • UserId – unique identifier between PowerClerk and the IdP. Email, names, and roles may change, but the UserId must not change.
    • FirstName – may be used by the PowerClerk program to address the user.
    • LastName – may be used by the PowerClerk program to address the user.
    • Email – may be used by PowerClerk as the user’s email address.
    • PowerClerkRoles (optional) – if provided, values must map to a program role.

You will need to provide the following to the PowerClerk Customer Success team via your assigned Customer Delivery Manager or the
PowerClerk ticket system:

  • The IdP Entity Id, a unique identifier of the IdP.
  • Which PowerClerk SP Entity Id was configured in the IdP (shared or unique).
  • The Sign On URL where PowerClerk will send a user to authenticate.
  • The Certificate in PEM format, provided securely as an attachment in the ticket. Certificates can be rotated, typically annually, by submitting a support ticket.


PowerClerk does not support relay states, logout URLs, claims namespaces, custom claims, assertion encryption, or exchanging configuration metadata files.
 

OIDC Configuration

The following details will be required by your IT team for your IdP configuration:
 

  1. The Redirect URL, the PowerClerk endpoint where the IdP will reply with an authentication token.

    • Sandbox: https://{hostname}.cleanpowerdemo.com/PCITrial/MvcAccount/Login/OAuth2Redirect
    • Production: https://{hostname}.powerclerk.com/MvcAccount/Login/OAuth2Redirect
  2. OIDC claims may be provided in an access token after successful authentication, or via a UserInfo endpoint accessed using an access token.

    3.  

  3. PowerClerk needs specific claims, except as indicated.
    • sub – unique identifier between PowerClerk and the IdP. Email, names, and roles may change but the sub must not change.
    • given_name – may be used by the PowerClerk program to address the user.
    • family_name – may be used by the PowerClerk program to address the user.
    • email – may be used by PowerClerk as the user’s email address.
    • PowerClerkRoles (optional) – if provided, values must map to a program role.

You will need to provide the following to the PowerClerk Customer Success team via your assigned Customer Delivery Manager or the
PowerClerk ticket system
 

  • Issuer URL which typically hosts the OIDC well-known configuration.
  • Client Id identifying the PowerClerk application (or specific program) at the IdP.
  • Client Secret which should be securely provided via the ticket system.
  • Scopes, if required, PowerClerk can include a list of scopes.

PowerClerk does not support decoding claims directly from an Id token.
 




Troubleshooting

If you run into issues during setup and testing, generally there is a mismatch between configurations. Use a browser in incognito mode, and open the developer tools to the network tab to capture the initial redirect to the IdP and callback to PowerClerk.
 
The following steps follow the SSO flow and describe where incorrect configuration will cause issues.
 
Step 1: The SSO flow begins by sending a user to the IdP sign-in page with some parameters. The user may click on a link on the PowerClerk page or be redirected automatically. In both cases, the IdP expects parameters matching its configuration. If the IdP immediately displays an error, the configuration is missing or mismatched.

    For SAML, check the following:

  • For an SP-initiated request, PowerClerk must have the correct Sign On URL to a reachable IdP endpoint.
  • The initial IdP request contains a SAMLRequest parameter. This is a Base64-encoded parameter that can be decoded for inspection.
  • Verify the decoded AuthnRequest values: the ACS URL and SAML Issuer (PowerClerk SP Entity Id) match the IdP configuration.
    For OIDC, check the following:

  • For an SP-initiated request, PowerClerk must have the correct Issuer URL to a reachable IdP endpoint.
  • The initial request contains the Client Id, Redirect URL, and optional scopes. These will be validated by the IdP.

Step 2: User authentication is completed on the IdP. If the account is not recognized or credentials are not valid, the issue may be the IdP’s user database.
 
Step 3: The IdP authorizes the user to access the PowerClerk application. If the user is not allowed access, the IdP typically reports an authorization or access error.
 
Step 4: After authentication and authorization, the IdP redirects the user back to PowerClerk with some information. If PowerClerk displays an error, the configuration is missing or mismatched.

      For SAML, check the following:

    • The IdP redirects the browser to the PowerClerk ACS URL with a SAMLResponse parameter containing a SAML assertion.
    • PowerClerk validates the SAML assertion with the Certificate. An invalid or certificate mismatch will result in a failure.
    • PowerClerk might report missing required claims, most frequently the UserId.
    • The SAMLResponse contains a Base64-encoded assertion that can be decoded for inspection. Verify the SAML Issuer matches the IdP Entity Id configured in PowerClerk.
    • The claims must include the SAML claims. Check the list of required SAML assertion claims are all included and valid.
      For OIDC, check the following:

    • The IdP redirects the browser to PowerClerk with an authentication code. PowerClerk will exchange this for an access token.
    • For a successful exchange, the Client Secret must match between PowerClerk and the IdP.
    • If available, PowerClerk calls the UserInfo endpoint to fetch the identity claims. Check PowerClerk has the correct UserInfo URL configured and the UserInfo list of required OIDC identity claims are all included and valid
    • If the UserInfo endpoint is not available and the access token is a JWT, PowerClerk will try to extract the OIDC identity claims from the access token.

Step 5: The user needs a valid role to access PowerClerk.

  • If the IdP provides a PowerClerkRoles claim, it must match one of the roles in the program. Mismatched role names or a missing role on PowerClerk will be rejected and block the user.
  • If the IdP does not provide a PowerClerkRoles claim and there is no default role for the IdP in the program, the user will be blocked.

 

SSO Role Assignment in PowerClerk

Figure 3: Single Sign On Role Assignment in PowerClerk

 
Support tickets requesting help with SSO trobleshooting should include the program URL and the IdP or IdP configuration (if more than one). Include descriptions and screenshots of the error. If possible, use the browser developer tools network log, as described in the steps above, to capture and include the request to the IdP and the redirect to PowerClerk. Do not include requests containing your credentials.

FAQs

Have additional questions? Contact us to nominate your FAQ and help others find answers to your own questions concerning this feature.

Create A Support Ticket

Not finding your answer here?  Submit a question to our support team at the PowerClerk Ticket System and leverage the PowerClerk team’s expertise.